Task 1 is just confirming that you understand the rules of the challenge, so let’s move on to Task 2:
Background Information:
You are Aleks Juulut, a private eye based out of Greenland. You don’t usually work digitally, but have recently discovered OSINT techniques to make that aspect of your job much easier. You were recently hired by a mysterious person under the moniker “H” to investigate a suspected cheater, named Thomas Straussman.
After a brief phone-call with his wife, Francesca Hodgerint, you’ve learned that he’s been acting suspicious lately, but she isn’t sure exactly what he could be doing wrong. She wants you to investigate him and report back anything you find. Unfortunately, you’re out of the country on a family emergency and cannot get back to Greenland to meet the deadline of the investigation, so you’re going to have to do all of it digitally. Good luck!
Question #1: Who hired you?
From reading through the background info, we can see that “H” has hired us.
ks{H}
Question #2: Who are you investigating? (ks{firstname lastname})
Same deal here, just read the background info.
ks{Thomas Straussman}
Task 3 gets more in-depth after you find an online handle, “tstraussman”. The challenge author notes that this handle will ONLY be found on Twitter and Reddit, so as not to disturb or investigate people who may coincidentally have the same usernames elsewhere.
If you do a Google search, the correct two will pop up:
Question#1: What is Thomas' favorite holiday?
Here is his Twitter profile:
Right in his Bio he mentions Christmas, or X-mas.
Christmas
Question#2: What is Thomas' birth date?
On his Reddit profile, he has just one post, about his 30th birthday:
It just says “3 months ago” on the post, but you can actually hover over that and it will give you the correct info:
12–20–1990
Question#3: What is Thomas' fiancee's Twitter handle?
You can see that Thomas interacts with a lot of Tweets from his fiance, Francesca:
@FHodgelink
Question#4: What is Thomas' background picture of?
You can see from the picture above and his bio description that it is Buddha.
Buddha
For Task 4 there is a tutorial showing you how to install and use the tools needed, Spiderfoot, and the latest version of Python 3.
At this point I ended up having issues with cherry.py and a bunch of other things (I was using the TryHackMe attack box), but I was able to Google my way through them using the error messages to eventually get to this:
Then I pulled up the instance in a browser:
I started setting up a new scan:
Here are the results:
You can see this picked up the same things as Google did earlier:
Question#1: What was the source module used to find these accounts?
sfp_accounts
Question#2: Check the shadowban API. What is the value of “search”?
Click on the Twitter result and it will open up this in a new tab:
ks{1346173539712380929}
Task 5 talks about installing an extension called RevEye, which lets you right-click and then look up images in various search engines, enabling you to find more information about them quickly.
Question#1: Where did Thomas and his fiancee vacation to?
Francesca has posted a photo of their time in Germany:
A quick image search reveals that it is a photo of Deutsches Eck in Koblenz, Germany
Koblenz,Germany
Question#2: When is Francesca’s Mother’s birthday? (without the year)
You can see here that Francesca’s mom’s birthday is on Christmas:
December 25th
Question#3: What is the name of their cat?
Gotank
Question#4: What show does Francesca like to watch?
Francesca has multiple posts referencing 90 Day Fiance:
I will admit that I am also a huge fan, lol. That stupid show got me through the first couple months of COVID:
90 Day Fiance
The final task, Task 6, has us going through that Reddit page in the Wayback Machine. The challenge author mentions using the older version of Reddit since it works better in this case.
After inputting that URL into the Wayback Machine, we can see that it has been saved two times since late 2020:
Question#1: What is the name of Thomas’ coworker?
Looking at the 12/21/2020 version, if you navigate to the birthday post you will see a guy named Hans commenting:
His username is /minikhans. From this we can deduce his full name.
Hans Minik
Question#2: Where does his coworker live?
Now that we have his username we can go through his posts:
You can see on his profile that he says “Nuuk” is the best.
He also mentions how he was born in Greenland.
Nuuk, Greenland
Question#3: What is the paste ID for the link we found? (flag format)
So Hans actually has 4 captures in the Wayback Machine.
The March 23rd capture includes a link to Ghostbin:
This takes you to a document exposing Thomas!
ks{ww4ju}
Question#4: Password for the next link? (flag format)
You can see this within the document we just found:
ks{1qaz2wsx}
Question#5: What is the name of Thomas’ mistress?
Follow the link but add in the password to the URL, like so:
Here, you will find proof that Thomas has been cheating on Francesca. :(
Emilia Moller
Question#6: What is Thomas’ Email address?
straussmanthom@mail.com
I think the funniest part of all of this is that Francesca is the fan of 90 Day Fiance, but Thomas is the one who is apparently getting duped by someone from another country, just like on the show…
Happy Hacking! ❤
